iptables rules processing speed depends on RAM, CPU or HDD the most?

postcd

Member
Registered
Joined
Jul 8, 2012
Messages
32
Points
8
Hello,

when one want to block lets say 100 000 entries in netfilter/iptables, i read somewhere that it can be problem regarding speed (slow).
I have not tried.

So i wanted to ask what is limiting factor for fast processing of the iptables rules in case blocklist is very long and if it can be somehow prevented. (example by using ramdisk or by doing work in RAM)

I read about ipset but had no opportunity and time to try it, in this case i am interested just in iptables without ipset.

Someone mentioned that restarting iptables with many rules can take minutes so here again interested to know how to dramatically reduce time while still having many iptables entries.
 

UnderHost

Member
Registered
Joined
Sep 5, 2016
Messages
42
Points
8
The main limits of iptables is your CPU that where the slowness will come from. If you have 100 000 entries, I would definitely go with ipset it's fairly easy to implement but it could also be the right time for you to switch to a hardware firewall.

If you are using a 64bits OS, I would not go past 50k entries.
 
Older Threads
Replies
7
Views
5,451
Replies
16
Views
11,171
Replies
12
Views
4,367
Newer Threads
Replies
4
Views
3,513
Replies
3
Views
3,067
Replies
7
Views
4,210
Latest Threads
Replies
0
Views
24
Replies
1
Views
36
Replies
0
Views
29
Replies
2
Views
88
Replies
0
Views
77
Recommended Threads

Latest postsNew threads

Latest Hosting OffersNew Reviews

Sponsors

Tag Cloud

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top